A new malware downloader, AdvisorsBot, has been spotted targeting the hospitality sector via email campaigns. It is being distributed by a threat actor tracked as TA555. The main targets have been restaurants, hotels and telecommunications companies.
Researchers from Proofpoint have been able to trace it back to May 2018. Most victims are in the United States. In this attack, the email lures the victim into opening an attached Word document that contains malicious macros. The TA555 actors have used different email lures, such as a “double charge” lure targeting hotels, a “food poisoning” lure targeting restaurants and a “resume” lure targeting telecommunications organizations.
The name “AdvisorsBot” comes from early command and control (C&C) domains, all of which contained the word “advisors”. The malware is written in C, but the threat actor has recently created an interesting fork of the code named PoshAdvisor, a variant of the same malware written entirely in PowerShell and .NET.
“Like most modern malware, AdvisorsBot employs a number of anti-analysis features. One of the most effective is the use of junk code–such as extra instructions, conditional statements, and loops–to considerably slow down reverse engineering,” Proofpoint researchers wrote in a blog. “To detect various malware analysis tools, AdvisorsBot takes a CRC32 hash of the system’s volume serial number and each running process name and compares them to a list of hardcoded hash values. If it finds a match, the malware exits.”
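On the analysis side, a hash-based check like the one quoted above is usually handled by resolving the hardcoded values against CRC32s of known analysis-tool names. The Python below is an added example of that resolution step and is not Proofpoint's code or code from the malware; the candidate process names, the use of the standard zlib CRC32 and the case handling are assumptions, and the "sample" hash list is constructed here rather than taken from a real binary.

```python
import zlib

# Constructed candidate list of process names an analyst might expect a
# sample to check for; this is an assumption, not the list from the malware.
CANDIDATE_PROCESSES = [
    "procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe",
    "ollydbg.exe", "idaq.exe", "vboxservice.exe", "vmtoolsd.exe",
    "fiddler.exe", "regshot.exe",
]


def crc32_of(name: str) -> int:
    """Standard (zlib/IEEE) CRC32 of the UTF-8 bytes of a name.
    The exact CRC32 variant used by the sample is an assumption."""
    return zlib.crc32(name.encode("utf-8")) & 0xFFFFFFFF


def build_lookup(names):
    """Map CRC32 -> name for each candidate in its original, lower and
    upper case forms, since the sample's case normalisation is unknown."""
    table = {}
    for n in names:
        for variant in (n, n.lower(), n.upper()):
            table[crc32_of(variant)] = variant
    return table


def resolve_hashes(hardcoded, table):
    """Resolve each hash carved from a sample to a name; unresolved
    entries map to None so the analyst knows to extend the candidates."""
    return {h: table.get(h) for h in hardcoded}


# Constructed stand-in for a hash list extracted from a sample: the CRC32 of
# two known tool names plus one value that matches no candidate.
SAMPLE_HASHES = [crc32_of("procmon.exe"), crc32_of("WIRESHARK.EXE"), 0xDEADBEEF]

if __name__ == "__main__":
    resolved = resolve_hashes(SAMPLE_HASHES, build_lookup(CANDIDATE_PROCESSES))
    for h, name in resolved.items():
        print(f"{h:08x} -> {name or '<unresolved>'}")
```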
“While it remains to be seen whether this threat actor will continue to distribute AdvisorsBot, PoshAdvisor, or both in future campaigns, this pair of downloaders, with extensive anti-analysis features and increasingly sophisticated distribution techniques, warrant further investigation,” Proofpoint researchers said.
Trust Logix Cloud ATP for protection against such malware attacks. Subscribe today for a free evaluation, or drop a mail to firstname.lastname@example.org for more information.